[NETNS]: Process netfilter hooks in initial namespace only.

There were no packets in the namespace other than initial previously. This will be changed in the neareast future. Netfilters are not namespace aware and should be processed in the initial namespace only for now. Signed-off-by: Denis V. Lunev <den@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
git-mirror · Mar 24, 2008 · 0be43f8 · 0be43f8
1 parent 05cf89d
commit 0be43f8
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
@@ -165,6 +165,14 @@ int nf_hook_slow(int pf, unsigned int hook, struct sk_buff *skb,
 	unsigned int verdict;
 	int ret = 0;
 
+#ifdef CONFIG_NET_NS
+	struct net *net;
+
+	net = indev == NULL ? outdev->nd_net : indev->nd_net;
+	if (net != &init_net)
+		return 1;
+#endif
+
 	/* We may already have this, but read-locks nest anyway */
 	rcu_read_lock();